Scenario 3.1a: Malicious HTTPS File Serving#
Purpose#
Scan network traffic for instances of malicious files being transmitted over HTTPS.
Description#
This demonstration shows how decrypted traffic can be utilized to identify, collect, and report on potential malware being communicated over the network. A traffic generation script will be used to relay payloads over HTTPS to demonstrate this capability.
Procedure#
Use script3.1a to make a request to a webserver configured to serve a malicious file.
Observe the detection of the malicious file’s hash in NetScout’s Security Events Center.
Expected Outcome#
The malicious file served over HTTP is detected as malicious by NetScout’s internal IDS.
Passive |
Active |
||||||
|---|---|---|---|---|---|---|---|
Bounded Life-Time |
Exported Session Key |
Break & Inspect (Mira) |
Break and Inspect (F5) |
||||
Real-Time |
Post-Facto |
Real-Time |
Post-Facto |
Real-Time |
Post-Facto |
Real-Time |
Post-Facto |
Pass |
Pass |
Pass |
Pass |
Pass |
Pass |
Pass |
Pass |
Screenshots#
Detection of malicious file being transmitted over decrypted HTTPS.#